Posted to users@tomcat.apache.org by John Niven <Jo...@marcat.com> on 2002/06/12 16:06:39 UTC

RE: Black magic Authentication Digest and JDBC Realm on Tomcat 4 .0.3

> -----Original Message-----
> From: PATTUS Jean-Philippe [mailto:jppattus@sogitec.fr] 
> Sent: 12 June 2002 14:49
> To: tomcat-user@jakarta.apache.org
> Subject: TR: Black magic Authentication Digest and JDBC Realm 
> on Tomcat 4 .0.3 
> 
> 
> Nobody for my little problem, should I try black magic?
> 
> > -----Original Message-----
> > From:	PATTUS Jean-Philippe [SMTP:jppattus@sogitec.fr]
> > Date:	Wednesday 12 June 2002 10:46
> > To:	tomcat-user@jakarta.apache.org
> > Subject:	Authentication Digest and  JDBC Realm on Tomcat 4.0.3
> > 
> > Hello,
> > I'm working on Tomcat 4.0.3.
> > I'm trying to put an authentication on my web app,
> > if the auth-method is BASIC and 
> > the Realm is
> > <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
> >        driverName="oracle.jdbc.driver.OracleDriver"
> >        connectionName="Name"
> >        connectionPassword="Password"
> >        connectionURL="jdbc:oracle:thin:@host:1521:toto"
> >        userTable="userTable" userNameCol="userNameCol"
> >        userCredCol="userCredCol"
> >        userRoleTable="userRole" roleNameCol="roleNameCol" />
> > it works fine.
> > But, if I replace BASIC by DIGEST, my authentication is KO. I've seen in the
> > code that JDBCRealm::getPassword() always returns null!!!
> > 

Just an idea (I don't know) but this could be by design - if getPassword()
returns the hashed password, it's a potential security risk (an attacker
would "just" need to hash a dictionary until they came across a matching
hash).

Not sure how JDBCRealm deals with this, though...sorry.

> > How can I configure my Tomcat in order to have JDBC Realm and Digest
> > authentication???
> > 
> > Thanks
> > 

Well, don't know how useful I've been :(
Cheers
John

 --
John Niven
Please reply through mailing list
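
Background to the exchange above, as an added example that is not part of the thread and is not Tomcat's code: under RFC 2617 (shown here without qop) a server can only check a DIGEST response if it can obtain the user's password or MD5(user:realm:password), so a lookup that returns null, or a column holding only a plain MD5 of the password, cannot succeed. The class, method names and sample values are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// Added illustration of the RFC 2617 digest check (no qop). Not Tomcat code;
// class, method and sample values are hypothetical.
public class DigestCheckExample {

    static String md5Hex(String s) throws Exception {
        byte[] d = MessageDigest.getInstance("MD5")
                .digest(s.getBytes(StandardCharsets.ISO_8859_1));
        StringBuilder sb = new StringBuilder();
        for (byte b : d) sb.append(String.format("%02x", b & 0xff));
        return sb.toString();
    }

    // HA1 = MD5(user:realm:password): the value the server must hold or derive.
    static String ha1(String user, String realm, String password) throws Exception {
        return md5Hex(user + ":" + realm + ":" + password);
    }

    // response = MD5(HA1:nonce:MD5(method:uri))
    static String response(String ha1, String nonce, String method, String uri)
            throws Exception {
        return md5Hex(ha1 + ":" + nonce + ":" + md5Hex(method + ":" + uri));
    }

    // Server-side check. A null credential (nothing returned by the realm)
    // can never match, whatever the client sends.
    static boolean verify(String storedHa1, String nonce, String method,
                          String uri, String clientResponse) throws Exception {
        if (storedHa1 == null) return false;
        byte[] expected = response(storedHa1, nonce, method, uri)
                .getBytes(StandardCharsets.US_ASCII);
        // Constant-time comparison of the two hex strings.
        return MessageDigest.isEqual(expected,
                clientResponse.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values.
        String user = "alice", realm = "Example Realm", pw = "s3cret";
        String nonce = "constructed-nonce-0001", uri = "/app/index.jsp";
        // What a client that knows the password would send.
        String sent = response(ha1(user, realm, pw), nonce, "GET", uri);
        System.out.println("HA1 stored:      " + verify(ha1(user, realm, pw), nonce, "GET", uri, sent));
        System.out.println("MD5(pw) only:    " + verify(md5Hex(pw), nonce, "GET", uri, sent));
        System.out.println("null from realm: " + verify(null, nonce, "GET", uri, sent));
    }
}
```

A stored HA1 is password-equivalent for that realm, so a credential column holding it needs the same protection as one holding cleartext passwords.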
